From owner-freebsd-security Mon Sep 9 7:49:42 2002
Date: Mon, 9 Sep 2002 08:49:34 -0600 (MDT)
From: bsd@xtremedev.com
To: Adrian Filipi-Martin
Cc: Benjamin Krueger, Hans Zaunere
Subject: Re: jail() House Rock
In-Reply-To: <20020909102116.M8908-100000@lorax.ubergeeks.com>
Message-ID: <20020909084601.K27444-100000@Amber.XtremeDev.com>

> A reasonable solution is to block access to the jailed filesystems
> from non-jailed accounts. Just do the following:
>
>     install -m u=rwx,go= -d /usr/fence
>     install -d /usr/fence/jail
>
> Then use the fenced off directory as your jail root. We are
> successfully running desktops with multiple developer jails in this sort of
> configuration and things work great. This excludes anyone but root from
> using suid binaries from a jail, and well, root's already root.

Er, I don't believe this solves the issue. If the user knows the full path
from the host system to the suid binary s/he created in the jail, s/he can
access it directly as a regular user in the host environment. I.e., typing
in:

/usr/fence/jail/usr/home/baduser/bin/rootshell

Please correct me if I'm wrong or if I've misunderstood.
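
Added example, not part of the original message: resolving a host path into a jail requires search (x) permission on every directory along it, so this sh sketch walks up from a jail path and reports the first ancestor whose group and other permission bits are all clear. The function names perm_bits and fence_for and the optional TOP argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the "fence" directory layout discussed in the thread.
# perm_bits and fence_for are hypothetical helper names.

# perm_bits DIR: print the nine permission characters of DIR, e.g. "rwx------".
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# fence_for PATH [TOP]: walk from PATH up to TOP (default /) and print the
# first directory with no group/other permission bits, followed by its owner.
# Returns 0 when such a directory exists, 1 when every level grants some
# access to accounts other than the owner.
fence_for() {
    dir=$1
    top=${2:-/}
    while :; do
        case $(perm_bits "$dir") in
            ???------)
                owner=$(ls -ld "$dir" | awk '{print $3}')
                echo "$dir $owner"
                return 0
                ;;
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then
            return 1
        fi
        dir=$(dirname "$dir")
    done
}

# Stand-alone use: sh fence_check.sh /usr/fence/jail/usr/home/baduser/bin
if [ $# -gt 0 ]; then
    fence_for "$@" || echo "no fence above $1"
fi
```

The reported owner matters as much as the mode: the layout in the quoted message relies on the fence directory being owned by root.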